Hi, https://fedorahosted.org/sssd/ticket/1635 was reopened because the provided patch didn't fix the problem for the reporter. I think the issue is that although we do lookups for all different types of principals we do not lookup the plain names given by ldap_sasl_authid. This is fixed by the first patch.
The second patch changes to order of the lookups by moving a wildcards search after a specific one. I think it make sense to change it this way but since the old order is used since some time chances are that this change might break some setups. If you think the old order is better or changing the order is too risky, please just ignore this patch. bye, Sumit
From 97ad669a7ab6e34d0c9f9e9d6cdac9444f86ba12 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Mon, 17 Dec 2012 22:08:59 +0100 Subject: [PATCH 1/2] select_principal_from_keytab() look for plain input as well Currently in select_principal_from_keytab() all kind of different versions of the host principal are looked up in the keytab except for the plain name the ldap_sasl_authid option. With this patch the plain name is looked up first. --- src/util/sss_krb5.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index 3837457..0eb032a 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -49,14 +49,18 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, /** * Priority of lookup: + * - our.hostname@REALM or host/our.hostname@REALM depending on the input + * - our.hostname$@REALM (AD domain) * - foobar$@REALM (AD domain) * - host/our.hostname@REALM * - host/foobar@REALM * - host/foo@BAR * - pick the first principal in the keytab */ - const char *primary_patterns[] = {"%s$", "*$", "host/%s", "host/*", "host/*", NULL}; - const char *realm_patterns[] = {"%s", "%s", "%s", "%s", NULL, NULL}; + const char *primary_patterns[] = {"%s", "%s$", "*$", "host/%s", "host/*", + "host/*", NULL}; + const char *realm_patterns[] = {"%s", "%s", "%s", "%s", "%s", + NULL, NULL}; DEBUG(5, ("trying to select the most appropriate principal from keytab\n")); tmp_ctx = talloc_new(NULL); -- 1.7.7.6
From 80c5a014bc641f9569eb5057127ab4c9881218f8 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Mon, 17 Dec 2012 22:14:55 +0100 Subject: [PATCH 2/2] select_principal_from_keytab() do wildcard lookups after specific ones Currently the wildcard lookup '*$' is done before the one for host/our.hostname@REALM. This means we would ignore a more specific match in favour of an unspecific match with a principal which is only used in a AD environment. I think this is wrong an wildcards should only be used is all specific lookups fail. --- src/util/sss_krb5.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index 0eb032a..1b8dc79 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -51,15 +51,15 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, * Priority of lookup: * - our.hostname@REALM or host/our.hostname@REALM depending on the input * - our.hostname$@REALM (AD domain) - * - foobar$@REALM (AD domain) * - host/our.hostname@REALM + * - foobar$@REALM (AD domain) * - host/foobar@REALM * - host/foo@BAR * - pick the first principal in the keytab */ - const char *primary_patterns[] = {"%s", "%s$", "*$", "host/%s", "host/*", + const char *primary_patterns[] = {"%s", "%s$", "host/%s", "*$", "host/*", "host/*", NULL}; - const char *realm_patterns[] = {"%s", "%s", "%s", "%s", "%s", + const char *realm_patterns[] = {"%s", "%s", "%s", "%s", "%s", NULL, NULL}; DEBUG(5, ("trying to select the most appropriate principal from keytab\n")); -- 1.7.7.6
_______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
